
Re: OpenVPN client issues / cannot connect remotely / Orbi RBR850

pandabe4r
Tutor

OpenVPN client issues / cannot connect remotely / Orbi RBR850

I have a weird issue trying to set up the VPN service on my new Orbi RBR850 router. Here's what I have configured so far, following the guide found here:

  1. I have enabled the VPN service under Advanced tab and set everything to default UDP and port 12973. Changed last option to "all sites on the Internet & Home network".

  2. Downloaded the latest OpenVPN client (11.25) to my Windows 10 laptop and installed using defaults.

  3. Downloaded the configuration files from my router and unzipped them into both "C:\Programfiles\OpenVPN\config\" and "C:\Users\{userprofile}\OpenVPN\config\client1"

  4. Renamed the VPN network adapter in Windows from "TAP-Windows Adapter" to "NETGEAR-VPN".

  5. Connect laptop to a remote network and launch OpenVPN, connect.

  6. First error indicated that it couldn't find the route gateway and wouldn't connect successfully. Fixed this by adding the following line to the OpenVPN config file "route-gateway 192.168.1.1" which is the default for Orbi routers.

  7. Now the agent will successfully connect, and I can see the device in NAT. In the Orbi app, I can see my device get assigned a private IP from my network. However, I cannot connect with any other devices on the network, including the router. I cannot ping any of them nor browse the Internet. My device is on the same subnet as all my other devices as I only have one subnet.

  8. I have tried turning off my firewall on Windows 10 to test with no luck.

Any ideas what would cause this?

Message 1 of 6

Accepted Solutions
pandabe4r
Tutor

Re: OpenVPN client issues / cannot connect remotely / Orbi RBR850

SOLVED!

 

So I decided to go with the latest OpenVPN Connect client that exclusively uses TUN.
https://openvpn.net/downloads/openvpn-connect-v3-windows.msi

 

I then edited the .ovpn config file before importing to change the default to TUN and the port to 12973. See below. 

 

After importing, I connected just fine and am able to connect to all my devices, RDP, and browse internet. 

 

Don't know why Orbi's instructions point to the older 2.5 client, but the latest version is the way to go.

 

client
dev tun
proto udp
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
dev-node NETGEAR-VPN
remote XXXXXXX.mynetgear.com 12973
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 0


Message 6 of 6

All Replies
CrimpOn
Guru

Re: OpenVPN client issues / cannot connect remotely / Orbi RBR850


@pandabe4r wrote:

I have a weird issue trying to set up the VPN service on my new Orbi RBR850 router. Here's what I have configured so far, following the guide found here

I have enabled the VPN service under Advanced tab and set everything to default UDP and port 12973. Changed last option to "all sites on the Internet & Home network".


I found getting OpenVPN to work very confusing and frustrating. Eventually, I got OpenVPN working with two separate Orbi systems on Android, Linux, and Windows clients. In other words, I am certainly no 'expert', but it does work.

 

On my Orbi (the older, RBR50 model), VPN listens for connections on two ports:

  • Port 12973 for tun connections
  • Port 12974 for tap connections

Internet searches (I am trying not to say "Google Search", but it's a hard habit to break) will explain the difference between tun and tap.

The important part (to me) is that they are different.  If an OpenVPN Client connection designed for tap tries to connect to an OpenVPN host designed for tun, it will fail.  (And the reverse.)

The client.ovpn file that my Orbi produces for Windows very clearly specifies tap on port 12974.

 


@pandabe4r wrote:

Connect laptop to a remote network and launch OpenVPN, connect.


Can you be a bit more specific about this? My 'sense' is that the laptop was taken to another place where it could connect to a different network. Is this correct? (My own test practice is to disconnect my smartphone from the Orbi WiFi, which causes it to revert to LTE data. Then open a "Hot Spot" and connect the laptop to that. My point is that this test has the laptop in no way connected to the Orbi network.)

 


@pandabe4r wrote:

First error indicated that it couldn't find the route gateway and wouldn't connect successfully. Fixed this by adding the following line to the OpenVPN config file "route-gateway 192.168.1.1" which is the default for Orbi routers.

I have never added such a line to my client.ovpn file.

Message 2 of 6
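
A check for the tun/tap port pairing described in the post above, as an added example that is not part of the original thread or of NETGEAR's tooling: it parses a client .ovpn file and reports a "dev" mode aimed at the other mode's port, a hand-added "route-gateway" line, and "verb 0". The port map is the RBR50 behaviour reported above and is an assumption for other models; the sample config is constructed.

```python
# Added example: lint an Orbi-style client .ovpn for the issues in this thread.
# EXPECTED_PORT is the RBR50 report above; an assumption for other models.
EXPECTED_PORT = {"tun": 12973, "tap": 12974}

# Constructed sample: a tap-era file switched to tun without changing the port.
SAMPLE = """\
client
dev tun
proto udp
remote xxxxxxx.mynetgear.com 12974
verb 0
route-gateway 192.168.1.1
"""


def parse_ovpn(text):
    """Return {directive: [argument lists]}, skipping comments and blanks."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_ovpn(text):
    """Return findings: dev/port mismatch, hand-added gateway, silent logging."""
    cfg = parse_ovpn(text)
    findings = []
    dev_args = cfg.get("dev", [[]])[0]
    mode = next((m for m in EXPECTED_PORT if dev_args and dev_args[0].startswith(m)), None)
    if mode is None:
        findings.append("no 'dev tun' or 'dev tap' line found")
    for args in cfg.get("remote", []):
        port = int(args[1]) if len(args) > 1 else 1194  # OpenVPN's default port
        if mode and port != EXPECTED_PORT[mode]:
            findings.append(f"dev {mode} targets port {port}, expected {EXPECTED_PORT[mode]}")
    if "route-gateway" in cfg:
        findings.append("route-gateway present; not part of the router-generated file")
    if cfg.get("verb", [["1"]])[0][:1] == ["0"]:
        findings.append("verb 0 hides diagnostics; raise it (e.g. verb 3) while troubleshooting")
    return findings


if __name__ == "__main__":
    for finding in lint_ovpn(SAMPLE):
        print(finding)
```
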
pandabe4r
Tutor

Re: OpenVPN client issues / cannot connect remotely / Orbi RBR850

As I understand it, OpenVPN client versions prior to 3.x support both TUN and TAP connections. Starting with version 3.0, the client only supports TUN. If you want your device to be able to communicate with other devices on your network when connecting, it must use TAP. TUN is just for access to the Internet it seems, for example if you're traveling in another country and you're trying to watch Netflix in your own country.

 

With that said, I'm using OpenVPN client 2.5, which supports both TAP and TUN protocols.

 

Currently I am physically remote trying to connect back to my router using vpn.

 

Here's my config (I have X'd out my DDNS hostname):

 

client
dev tap
proto udp
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
dev-node NETGEAR-VPN
remote xxxxxxx.mynetgear.com 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 0
route-gateway 192.168.1.1

Message 3 of 6
CrimpOn
Guru

Re: OpenVPN client issues / cannot connect remotely / Orbi RBR850

I forgot to ask whether the Orbi is the only router, i.e. the Orbi WAN IP is the public IP?

 

The Windows ovpn file created by my Orbi looks like this:

client
dev tap
proto udp
dev-node NETGEAR-VPN
remote xxxxxx.mynetgear.com 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 0
sndbuf 393216
rcvbuf 393216
route-method exe

There is no 'gateway' in my ovpn file.

 

My understanding of the tun/tap difference is that tap puts the VPN client in the same IP subnet as the Orbi LAN, and thus all broadcast messages go across the VPN tunnel (in both directions). Here's how Wikipedia describes it:

https://en.wikipedia.org/wiki/TUN/TAP 

Though both are for tunneling purposes, TUN and TAP can't be used together because they transmit and receive packets at different layers of the network stack. TUN, namely network TUNnel, simulates a network layer device and operates in layer 3 carrying IP packets. TAP, namely network TAP, simulates a link layer device and operates in layer 2 carrying Ethernet frames. TUN is used with routing. TAP can be used to create a user space network bridge.

 

The configuration files Orbi produces for Windows and 'non-Windows' (i.e. Linux) both specify tap as the default. The configuration file Orbi produces for 'smartphones' specifies tun because iPhones and Android phones are restricted to using tun. Both tap and tun allow access to devices on the LAN. (I just verified this with my Android phone using tun.)

 

When my Android phone opens a VPN connection to the Orbi, it gets an IP address of 192.168.2.2.  The gateway is 192.168.2.1 (the Orbi).  However, if I ping 192.168.1.4 (my printer), the printer responds. The Orbi routes between subnets 2.x and 1.x automatically.

Message 4 of 6
CrimpOn
Guru

Re: OpenVPN client issues / cannot connect remotely / Orbi RBR850

Another "gotcha" in the tap/tun situation is that it is essential that the device running OpenVPN not have an IP address in the same subnet as the Orbi LAN.  Imagine this:

 

  • A computer is connected to the LAN network of a router and is assigned an IP address of 192.168.1.x1 with subnet mask 255.255.255.0
  • OpenVPN is run on the computer and connected to a tap connection on the Orbi router. Orbi assigns an IP address of 192.168.1.x2 with a subnet mask of 255.255.255.0
  • Where is subnet 192.168.1.x?  Is it on the native ethernet/WiFi port where the computer is 192.168.1.x1, or is it on the OpenVPN port where the computer has IP address 192.168.1.x2?

For me, this has never been an issue because I typically connect to a Hot Spot on my phone, which hands out 192.168.43.x IP addresses. All subnets from 0 through 254 are valid private IP addresses. Maybe some engineer was thinking ahead, "what if someone attempts to open a VPN on this phone's Hot Spot?" Or, maybe just dumb luck.

 

So, when OpenVPN was tested remotely, what was it connected to?  What IP address did it have?

Message 5 of 6
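
The overlap described in the post above can be checked before connecting. This is an added example, not code from the thread: it compares the client's local interface networks with the address the router assigns to the VPN adapter and, going slightly beyond the tap case in the post, with any LAN routed through a tun tunnel. All addresses are constructed, and the /24 mask on the tun adapter is an assumption.

```python
import ipaddress


def vpn_subnet_conflicts(local_ifaces, vpn_assigned, routed_lans=()):
    """Return (local_net, vpn_net) pairs whose address ranges overlap.

    local_ifaces: "address/mask" strings for the client's Ethernet/WiFi ports.
    vpn_assigned: "address/mask" the router hands to the VPN adapter.
    routed_lans:  networks reached through the tunnel (the Orbi LAN in tun mode).
    """
    vpn_nets = [ipaddress.ip_interface(vpn_assigned).network]
    vpn_nets += [ipaddress.ip_network(n) for n in routed_lans]
    conflicts = []
    for iface in local_ifaces:
        local = ipaddress.ip_interface(iface).network
        for vnet in vpn_nets:
            if local.overlaps(vnet):
                conflicts.append((str(local), str(vnet)))
    return conflicts


# Constructed scenarios (host addresses are illustrative only).
# tap from a remote network that also uses 192.168.1.0/24: ambiguous.
TAP_SAME_SUBNET = vpn_subnet_conflicts(
    ["192.168.1.10/255.255.255.0"], "192.168.1.20/255.255.255.0")

# tap from a phone hot spot handing out 192.168.43.x: no overlap.
TAP_HOTSPOT = vpn_subnet_conflicts(
    ["192.168.43.5/255.255.255.0"], "192.168.1.20/255.255.255.0")

# tun: adapter gets 192.168.2.2 (assumed /24) and the Orbi routes to
# 192.168.1.0/24, so a remote network on 192.168.1.0/24 still collides.
TUN_SAME_LAN = vpn_subnet_conflicts(
    ["192.168.1.10/24"], "192.168.2.2/24", routed_lans=["192.168.1.0/24"])

if __name__ == "__main__":
    for name, result in [("tap, same subnet", TAP_SAME_SUBNET),
                         ("tap, hot spot", TAP_HOTSPOT),
                         ("tun, same LAN", TUN_SAME_LAN)]:
        print(name, "->", result or "no conflict")
```
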